U.S. small business owners are guilty of wishful thinking when it comes to cybersecurity, a new survey shows.
While three-fourths (77 percent) say their company is safe from hackers, viruses, malware and cybersecurity breaches, 83 percent have no formal plan to address these threats. The sponsors of National Cyber Security Awareness Month, now under way, have their work cut out for them.
The threat is real. Targeted cyberattacks against small and medium-size businesses (SMBs) have more than doubled, jumping from 18 percent in 2011 to 36 percent in 2012. Yet two-thirds (66 percent) of SMBs are unconcerned about cyberthreats, either external or internal, according to a survey of 1,015 SMBs in the United States released by the National Cyber Security Alliance and Symantec, a provider of security services and software.
And they're woefully unprepared to handle data breach losses. Nearly six out of 10 (59 percent) SMBs do not have a contingency plan outlining procedures for responding to and reporting data breach losses, the survey found.
The lack of policies and procedures is uniform across the cybersecurity ecosystem, the survey found. Eighty-seven percent of SMBs do not have an informal Internet security policy, and 70 percent do not have policies for employee social media use, even though social media have become an increasingly popular vector for phishing attacks.
In spite of this vacuum, though, SMBs are satisfied with their online safety posture. A sizable majority (86 percent) say they are satisfied with the amount of security they provide to protect customer or employee data. And 83 percent strongly or somewhat agree that they are doing enough or making enough investments to protect customer data.
"It's terrifying that the majority of U.S. small businesses believe their information is protected, yet so many do not have the required policies or protection in place to remain safe," said Brian Burch, Symantec vice president of small business marketing in the Americas. "Almost 40 percent of the over 1 billion cyberattacks Symantec prevented in the first three months of 2012 targeted companies with less than 500 employees. And for the small, poorly protected companies that suffer an attack, it's often fatal to their business."